New Rules To Protect Your Privacy
If you are like most Americans, you are bombarded every day with junk mail and telemarketer calls that seem to be targeted directly to you and to your circumstances. How do these telemarketers or advertisers know that you have a newborn baby and that you have an interest in investment opportunities? Many of the places that you do business with compile lists about you and sell these lists to telemarketers. Is this legal? Is it ethical? What if you do not want your credit information shared with others? Congress has listened to these complaints and, in 1999, passed the Gramm-Leach-Bliley Act. This Act was designed to ensure that the consumer/client/customer is aware of the "financial institution's" use of nonpublicly available information so that consumers can advise the financial institution that they do not want their information used according to the financial institution's current policy.
What exactly does the Act do?
The Act imposes various requirements on financial institutions' use of their customers' personal information. The key protection found within this Act is that before a financial institution can disclose any "nonpublic personal information" about one of its customers to an outside party, the financial institution must give the customer notice of any potential disclosure and must give the customer the opportunity to "opt out" of having the information disclosed to third parties.
Who must comply with the Act?
Generally, this law applies to any "financial institution." The Act defines a financial institution as an entity that is significantly engaged in providing financial products or services to an individual. Entities explicitly subjected to this law include, for example, mortgage lenders/brokers, finance companies, check cashers, collection agencies, tax preparation firms, credit counselors and other financial advisors.
Who is protected under the Act?
Generally, a consumer who has a customer relationship with the financial institution is protected under the Act. A consumer is defined as an individual who obtains financial products or services for primarily personal, family, or household purposes from the financial institution. For example, a person who owns a personal credit card would be a consumer. The financial institution must comply with the Act and give notice regarding disclosure of nonpublic personal information to the credit card owner. However, if the credit card owner is a business entity, then the financial institution does not have to give notice about its disclosure policies.
What is required?
All financial institutions must be in compliance with the Act by July 1, 2001. In order to be in compliance with the Act, financial institutions must have a system in place for providing new and existing customers with an initial and an annual notice of the financial institution's use of the customer's nonpublic personal information. Financial institutions must effectively deliver to their current customers the "initial notice" by July 1, 2001. After July 1, all new customers must be given an "initial notice" when the customer relationship begins. The annual notice, which can be almost identical to the initial notice, must be given once in every period of 12 consecutive months during which the relationship continues. The 12-month period does not have to coincide with the calendar year. The financial institution can define any 12-month period, but once established, it must be adhered to on a consistent basis.
What must be included in the privacy notice?
Both the initial and the annual notice have the same seven main requirements. These requirements must be met or the notice fails and any disclosure made will be in violation of the Act. The notice must state the following:
1. The categories of non-public personal information that is collected.
2. The categories of non-public personal information that is disclosed.
3. The categories of affiliated and non-affiliated third parties to whom non-public personal information not covered under an exception is disclosed.
4. The categories of non-public personal information that is collected and disclosed regarding former customers.
5. An explanation of the consumer's right to opt out, including the method by which the consumer may exercise that right. The notice must give the consumer at least 30 days in which to respond in order to opt out, before the financial institution can disclose the non-public personal information to the third party. The consumer also has the right to a "partial opt out," which means that the consumer can allow the financial institution to disclose certain information but not other information.
6. Any disclosure that is made under the Fair Credit Reporting Act regarding the ability to opt out of disclosures of information among affiliates.
7. The policy and practices with respect to protecting the confidentiality and security of non-public personal information.
In addition to the above clauses that must be included in the notices, the Act also has several requirements regarding the design of the notice. The Act requires that the notices be designed to call attention to themselves, for example through bold writing, wide margins, and shading or sidebars. In addition, the notice must be clear and understandable to the average consumer.
What is effective delivery?
The financial institution must deliver these notices effectively to the appropriate consumers. The most common way to effectively deliver the notice to the consumer is to either hand deliver or mail the notice to the last known address of the consumer. Posting a notice on the facility door is not effective delivery under the Act. For those financial institutions that are web savvy, posting the annual notice to a website is sufficient, but only under limited circumstances and only for limited consumers. Finally, oral notification, either in person or by phone, is not acceptable notification.
Because every business entity is unique and may collect or disclose consumer information differently, a blanket or general "notice policy" is not sufficient to comply with the Act.